The easiest method of administering Windows Firewall is centrally, by using Active Directory (AD) and Group Policy Objects (GPOs). I recommend that you group all computer accounts together in organizational units (OUs), with each OU representing the function or functions that each computer it contains is used for. For each OU, you can create GPOs with Windows Firewall settings that represent the exceptions needed for applications running on computers contained within the OUs. Web Figure 1 shows the Microsoft Management Console (MMC) Group Policy Object snap-in with the Windows Firewall settings. Installing either Windows Server 2003 Service Pack 1 (SP1) or Windows XP SP2 adds the necessary MMC Windows Firewall extensions to the snap-in.
Web Table 1 lists my recommended GPO settings for Domain and Standard profiles for Windows Firewall on XP SP2; these settings are based on Microsoft’s recommendations. Microsoft provides no recommendations for Windows Firewall on Windows 2003 SP1 because the firewall is disabled by default.
Using GPOs to define application and port exceptions can be tricky because the snap-in doesn't guide you through the process of defining those exceptions very well. Application exceptions are strings that take the following format:
<executable path>:<scope>:<status>:<name>
The executable path component can use environment variables such as %ProgramFiles%, which can greatly simplify creating exception rules. The scope component refers to the IP addresses or subnets (which take the form network/mask) from which traffic will be accepted. Separate the list of addresses and subnets by commas. You can also specify an asterisk (*) for the scope, which tells Windows Firewall to accept traffic from anywhere, or the value localsubnet, which is a placeholder for the subnets that the host is directly connected to via its interfaces. The status component is either enabled or disabled and defines whether the application is permitted to establish listening endpoints. The last component, name, is used to define a friendly name for the application and is displayed in the Windows Firewall GUI.
You define port exceptions by using a similar format:
<port>:<transport>:<scope>:<status>:<name>
Port refers to the port number between 1 and 65,535 that the permitted application listens on (e.g., 80 for HTTP or 110 for POP3). Transport is either TCP or UDP, as appropriate. The scope, status, and name parameters are the same as for application exceptions.
When you enable exceptions for the built-in services (Remote Administration, File and Print, Remote Desktop, and Universal Plug and Play, or UPnP), you can also specify a scope to restrict incoming traffic. When enabling Internet Control Message Protocol (ICMP) traffic, you can specify which ICMP options are permitted.
Configuring Windows Firewall During Deployment
If you haven't yet deployed Windows 2003 SP1 or XP SP2, you can configure Windows Firewall when you deploy the service pack. You can install either service pack in unattended or interactive mode.
Every unattended installation of a service pack uses a file called unattend.txt for initial settings. You can specify Windows Firewall settings in this file in a required section called [WindowsFirewall]. This section includes firewall-logging options and the names of profiles that contain the initial firewall settings (profile names are separated by commas).
Each profile is described in its own section in unattend.txt. For typical configurations, you'll want to create two profiles, a Domain profile and a Standard profile. Within each profile section, you specify the type of profile (Domain, Standard, or both); the mode of operation (whether the firewall is on or off); whether to allow exceptions; whether notifications are enabled; whether responses to multicast or broadcast packets are accepted; and the names of sections that describe application exceptions, exceptions for the built-in services (e.g., File and Print, UPnP), port exceptions, and ICMP settings. Each of these named sections contains the initial firewall exceptions applied during installation, and the contents of each correspond to an available GPO. Web Listing 1 shows the sections you'd include in unattend.txt to disable Windows Firewall during service pack installation. You can find more information about using unattend.txt to configure Windows Firewall in the ref.chm Help file, which is in the support\tools\deploy.cab file on the service pack CD-ROM.
For an interactive service pack installation, you can configure Windows Firewall settings by using the netfw.inf file. Unlike the unattend.txt file, which contains sections that map to application and port exceptions, in netfw.inf you need to define and write only two sections: ICF.AddReg.DomainProfile and ICF.AddReg.StandardProfile. As the names suggest, the entries in each section map directly to registry entries and define firewall settings and application and port exceptions for the Domain and Standard profiles. For more information about how to use the netfw.inf file, see the white paper Using the Windows Firewall INF File in Windows XP Service Pack 2, which you can download at http://www.microsoft.com/downloads/details.aspx?familyid=cb307a1d-2f97-4e63-a581-bf25685b4c43&displaylang=en.
Configuring Windows Firewall from a Command Line
You can also configure Windows Firewall after you've installed the service packs, by using the Netsh command (netsh.exe). Almost everything that you can do via GPOs you can do with Netsh, which Microsoft has extended to add the firewall context. There are five commands within this context: add, delete, reset, set, and show. You use the add command to add program and port exceptions and use the delete command to delete them. You use the reset command to reset the firewall to the default settings. You use the set command to modify application and port exceptions and to configure ICMP exceptions, logging, multicast, and broadcast packet response exceptions, exceptions for the built-in services, and the operating mode that can be used to enable and disable Windows Firewall on individual interfaces. Web Table 2 summarizes the commands and subcommands in netsh.exe.
Although you can use Netsh in a batch or command script, only an administrator can configure Windows Firewall—and only when the GPO firewall policy allows the administrator to do so. In organizations where end users don't have administrator access, calling a firewall script from a logon script won't work. Instead, you can launch Netsh-based firewall scripts by using startup scripts configured through Group Policy, from one of the Run subkeys in the registry, from Scheduled Tasks on system startup, or by using a resource kit or third-party tool that runs the script as a service.
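The two exception-string formats described earlier (path:scope:status:name for applications, port:transport:scope:status:name for ports) and the Netsh firewall context described in this section, worked through as an added Python example that is not part of the original article: it parses GPO exception strings, rejects malformed ones (bad port, unknown transport, bad status, unparseable scope), flags enabled exceptions whose scope is the wildcard, and renders each as the netsh command an administrator would put in a startup script. The sample strings, paths and names are constructed. The netsh argument names used (allowedprogram and portopening with program=, port=, protocol=, name=, mode=, scope=, addresses= and profile=) are the XP SP2 syntax as I recall it and are an assumption to confirm with netsh's built-in help before running the output.

```python
"""Lint Windows Firewall GPO exception strings and emit matching netsh commands.
Added example, not code from the article. String formats follow the article's text; the
netsh argument names are XP SP2 syntax as recalled (assumption; confirm with 'netsh firewall add ?')."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class FirewallException:
    kind: str                        # "program" or "port"
    scope: str                       # "*", "localsubnet", or comma list of addresses / network/mask
    status: str                      # "enabled" or "disabled"
    name: str                        # friendly name shown in the Windows Firewall GUI
    program: Optional[str] = None    # executable path (program exceptions only)
    port: Optional[int] = None       # 1-65535 (port exceptions only)
    transport: Optional[str] = None  # "TCP" or "UDP" (port exceptions only)

def scope_entries(scope: str) -> List[str]:
    """Validate a scope and return its entries; raises ValueError on a malformed one."""
    scope = scope.strip()
    if scope == "*":
        return ["*"]
    entries = []
    for item in (s.strip() for s in scope.split(",")):
        if item.lower() == "localsubnet":
            entries.append("LocalSubnet")
            continue
        ipaddress.ip_network(item, strict=False)  # host, or network/mask (prefix or dotted); raises if bad
        entries.append(item)
    return entries

def _checked(exc: FirewallException) -> FirewallException:
    """Checks shared by both formats: status keyword and a scope that parses."""
    if exc.status not in ("enabled", "disabled"):
        raise ValueError(f"status must be enabled or disabled, got {exc.status!r}")
    scope_entries(exc.scope)
    return exc

def parse_program_exception(text: str) -> FirewallException:
    """path:scope:status:name; paths hold a drive-letter colon, so split on the three rightmost colons."""
    parts = text.rsplit(":", 3)  # assumption: the friendly name itself contains no colon
    if len(parts) != 4 or not parts[0].strip():
        raise ValueError(f"expected path:scope:status:name, got {text!r}")
    program, scope, status, name = (p.strip() for p in parts)
    return _checked(FirewallException("program", scope, status.lower(), name, program=program))

def parse_port_exception(text: str) -> FirewallException:
    """port:transport:scope:status:name, split from the left so the name may hold a colon."""
    parts = text.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected port:transport:scope:status:name, got {text!r}")
    port, transport, scope, status, name = (p.strip() for p in parts)
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port must be 1-65535, got {port!r}")
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError(f"transport must be TCP or UDP, got {transport!r}")
    return _checked(FirewallException("port", scope, status.lower(), name,
                                      port=int(port), transport=transport.upper()))

def validate(kind: str, text: str) -> Optional[str]:
    """None if the string parses cleanly, otherwise the parser's error message."""
    try:
        (parse_program_exception if kind == "program" else parse_port_exception)(text)
    except ValueError as err:
        return str(err)
    return None

def lint(exc: FirewallException) -> List[str]:
    """Review finding: an enabled exception that accepts traffic from every source address."""
    if exc.status == "enabled" and exc.scope.strip() == "*":
        return [f"{exc.name}: accepts traffic from any address; prefer localsubnet or explicit subnets"]
    return []

def to_netsh(exc: FirewallException, profile: str = "DOMAIN") -> str:
    """The equivalent 'netsh firewall add' command (argument names assumed; see header)."""
    entries = scope_entries(exc.scope)
    scope_arg = {("*",): "scope=ALL", ("LocalSubnet",): "scope=SUBNET"}.get(
        tuple(entries), "scope=CUSTOM addresses=" + ",".join(entries))
    mode = "ENABLE" if exc.status == "enabled" else "DISABLE"
    if exc.kind == "program":
        return (f'netsh firewall add allowedprogram program="{exc.program}" '
                f'name="{exc.name}" mode={mode} {scope_arg} profile={profile}')
    return (f"netsh firewall add portopening protocol={exc.transport} port={exc.port} "
            f'name="{exc.name}" mode={mode} {scope_arg} profile={profile}')

# Constructed sample GPO strings; the paths and names are hypothetical.
SAMPLE_GPO_STRINGS = [
    ("program", r"%ProgramFiles%\Contoso\agent.exe:10.0.0.0/8,localsubnet:enabled:Contoso Agent"),
    ("port", "80:TCP:*:enabled:Intranet web server"),
    ("port", "161:udp:192.168.10.0/255.255.255.0:enabled:SNMP agent"),
    ("program", r"C:\Tools\legacy.exe:*:disabled:Legacy tool"),
]

def review(strings, profile: str = "DOMAIN"):
    """Parse every string; return (netsh commands, lint findings)."""
    commands, findings = [], []
    for kind, text in strings:
        exc = parse_program_exception(text) if kind == "program" else parse_port_exception(text)
        findings.extend(lint(exc))
        commands.append(to_netsh(exc, profile))
    return commands, findings
```

Calling review(SAMPLE_GPO_STRINGS) returns four netsh commands and one warning (the HTTP port exception is enabled for any source). The commands are the lines you would place in the startup script the section above describes; the splitting rule for program exceptions (three rightmost colons) is my assumption for coping with the drive-letter colon in a path, which the article's format description does not address.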